Double-Layer PGP Encryption for Incoming External Emails
Double-layer PGP is an extra security measure Private.Ki uses when you receive an already-encrypted email from outside. In simple terms, if someone not on Private.Ki sends you a PGP-encrypted email, our system adds another layer of PGP encryption on top of that message.
The reason: An external sender can encrypt one PGP message for several recipients at once. In that case the encrypted payload is identical across all recipients, and if we stored that same ciphertext in two Private.Ki mailboxes it would be possible to link those users by equality of the stored message. By adding a second PGP layer per recipient, we create a distinct outer ciphertext for each account. This reduces cross‑user linkability and limits what can be inferred about who received the same mail.
Double PGP encryption of incoming external emails
Suppose an external sender (outside Private.Ki) wants to send you a secure email. They use your PGP public key to encrypt the message on their end. When that encrypted email arrives at Private.Ki, it is already secure (only your corresponding private key can decrypt it). However, Private.Ki doesn’t stop there: we immediately wrap the incoming encrypted message in a second layer of encryption, again using your public key.
In other words, the already-encrypted email gets encrypted again with PGP before being stored on our servers. This results in a double-encrypted email (two layers of PGP) sitting in your mailbox.
Reading a double-encrypted email
When you open the message in your Private.Ki mailbox, your device uses your private key to decrypt the outer PGP layer that Private.Ki added.
After removing this outer layer, what remains is the original email exactly as the external sender encrypted it (still protected by PGP with your key). Your device then immediately decrypts that inner layer as well (using the same private key) to reveal the actual email content so you can read it.
This process is handled automatically – from your perspective, you just open the email and it appears, without needing to manually decrypt twice.
After you’ve opened the email, Private.Ki re-encrypts the message with AES for storage in your mailbox.
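The linkability problem and the per-recipient second layer described above, as an added example that is not Private.Ki's code. It does not use real OpenPGP packets: RSA-OAEP plus AES-256-GCM from Node's built-in crypto module stands in for PGP's hybrid encryption, and the names seal, open, linkedGroups, alice and bob are hypothetical.

```javascript
// Added example: Node's crypto (RSA-OAEP + AES-256-GCM) stands in for PGP hybrid encryption.
const crypto = require('crypto');
const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };
const KEY_LEN = 256; // size in bytes of a session key wrapped with RSA-2048

// Encrypt data once with a fresh session key, then wrap that key for every recipient.
function seal(publicKeys, data) {
  const sessionKey = crypto.randomBytes(32), iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', sessionKey, iv);
  const body = Buffer.concat([c.update(data), c.final()]);
  const wrapped = publicKeys.map(k => crypto.publicEncrypt({ key: k, ...OAEP }, sessionKey));
  return Buffer.concat([Buffer.from([wrapped.length]), ...wrapped, iv, c.getAuthTag(), body]);
}

// Try each wrapped-key slot until one unwraps with this private key, then decrypt the body.
function open(privateKey, blob) {
  const n = blob[0], rest = blob.subarray(1 + n * KEY_LEN);
  for (let i = 0; i < n; i++) {
    try {
      const slot = blob.subarray(1 + i * KEY_LEN, 1 + (i + 1) * KEY_LEN);
      const sessionKey = crypto.privateDecrypt({ key: privateKey, ...OAEP }, slot);
      const d = crypto.createDecipheriv('aes-256-gcm', sessionKey, rest.subarray(0, 12));
      d.setAuthTag(rest.subarray(12, 28));
      return Buffer.concat([d.update(rest.subarray(28)), d.final()]);
    } catch (_) { /* slot belongs to another recipient; try the next one */ }
  }
  throw new Error('no session key for this private key');
}

// Storage audit: which mailboxes hold byte-identical blobs and are therefore linkable?
function linkedGroups(store) {
  const byHash = new Map();
  for (const [user, blob] of Object.entries(store)) {
    const h = crypto.createHash('sha256').update(blob).digest('hex');
    byHash.set(h, [...(byHash.get(h) || []), user]);
  }
  return [...byHash.values()].filter(g => g.length > 1);
}

function demo() {
  const [alice, bob] = [0, 1].map(() => crypto.generateKeyPairSync('rsa', { modulusLength: 2048 }));
  // Constructed sample: one external message encrypted for both recipients at once.
  const inner = seal([alice.publicKey, bob.publicKey], Buffer.from('constructed sample body'));
  const single = { alice: inner, bob: inner };            // stored as received
  const double = { alice: seal([alice.publicKey], inner), // second layer per recipient
                   bob: seal([bob.publicKey], inner) };
  const read = open(bob.privateKey, open(bob.privateKey, double.bob)).toString();
  return { single: linkedGroups(single), double: linkedGroups(double), read };
}
console.log(demo());
```

The outer blobs differ because each call to seal draws a fresh session key and IV, so the audit finds no matching pair even though both mailboxes wrap the same inner message.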